Who is going to be in charge of the signing process? Can I sign the content myself? Will Google eventually only sign content it deems appropriate? Can we trust Google to always do the right thing?
Good question. The signing is done by the publisher, using the same digital signature infrastructure that is used for TLS (https). So, the publisher alone has the signing key, and any browser can verify the signature by comparing to the public certificate, signed by a certificate authority.
